Another OpenSSL High Severity Vulnerability

An update to the widely used OpenSSL crypto library will come out Thursday, July 9th. The new versions of OpenSSL, versions 1.0.2d and 1.0.1p, address a single security vulnerability classified as “high severity,” the OpenSSL Project Team announced on Monday. There aren’t many more details about the mystery security vulnerability available yet, except for the fact that the security vulnerability doesn’t affect the 1.0.0 or 0.9.8 series.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p,” developer Mark J Cox announced in a mailing list note published yesterday.

“These releases will be made available on 9th July. They will fix a single security defect classified as ‘high’ severity. This defect does not affect the 1.0.0 or 0.9.8 releases.”

The announcement of the new versions of OpenSSL was kept as brief as possible, to prevent attackers from exploiting the hole before the fix is released to the public.

Some security experts have speculated that this high severity bug could be another Heartbleed or POODLE, bugs that were considered to be the worst TLS/SSL vulnerabilities and are still believed to be affecting websites on the Internet today.

What does this mean for FileMaker Users?

It looks like this vulnerability affects FileMaker Versions 13 and 14, as the files state they are running OpenSSL 1.0.1i. FileMaker 12 is in the 1.0.0 series and FileMaker 11 is in the 0.9.8 series, so those versions should be okay. We will, of course, have to wait for FileMaker to make a formal announcement regarding any update, but in the meantime, keep it on your radar!
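The triage reasoning above can be scripted. This is an added example, not code from FileMaker or the OpenSSL project. It sorts a version string into the series named in the announcement, using sample strings that are constructed. It assumes any 1.0.1 or 1.0.2 build older than the fixed release needs the update, since the announcement does not yet say which builds are affected.

```python
import re

# Fixed releases named in the announcement, keyed by release series.
FIXED = {"1.0.1": "p", "1.0.2": "d"}
# Series the announcement says are not affected.
UNAFFECTED = {"1.0.0", "0.9.8"}

# Matches the letter-suffixed scheme, e.g. "1.0.1i" or "0.9.8zg".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (series, patch_letters) from a banner such as 'OpenSSL 1.0.1i'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return m.group(1), m.group(2)


def letter_rank(letters):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return (len(letters), letters)


def triage(text):
    """Classify a version string against the announced fix releases."""
    series, letters = parse_version(text)
    if series in UNAFFECTED:
        return "not affected"
    if series not in FIXED:
        return "unknown series"
    # Assumption: every build below the fixed letter is treated as needing the update.
    if letter_rank(letters) >= letter_rank(FIXED[series]):
        return "fixed"
    return "update needed"


if __name__ == "__main__":
    # Constructed sample banners; 1.0.1i is the version the article reports.
    for banner in ["OpenSSL 1.0.1i", "OpenSSL 1.0.2d", "OpenSSL 1.0.0s",
                   "OpenSSL 0.9.8zg", "OpenSSL 1.0.1e-fips"]:
        print(f"{banner:22} -> {triage(banner)}")
```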

Background

Heartbleed, discovered in April last year, was a bug in an earlier version of OpenSSL that allowed hackers to read sensitive contents of victims’ encrypted data, including credit card details, and even to steal SSL keys from Internet servers or client software.

Months later, another critical flaw known as POODLE (Padding Oracle On Downgraded Legacy Encryption) was unearthed in the decade-old but widely used SSL 3.0 cryptographic protocol. It allowed attackers to decrypt the contents of encrypted connections.

In addition, a number of high severity vulnerabilities were fixed in March this year, including a denial-of-service (DoS) flaw (CVE-2015-0291) that allowed attackers to crash online services, and FREAK (CVE-2015-0204), which allowed attackers to force clients to use weaker encryption.

About

We provide robust, feature-rich cloud FileMaker hosting solutions. Our cloud-based FileMaker solutions offer the freedom and control of dedicated FileMaker servers with the added flexibility and scalability of the cloud. In addition, every solution comes with guidance and support from our experienced engineers.